NJ A3231

Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.



Status

Introduced: 01/13/2026
In Committee: 01/13/2026

Introduced Session

2026-2027 Regular Session

Bill Summary

This bill would require sensitive businesses to report certain cybersecurity incidents promptly to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). For the purposes of this bill, a "cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems. The bill would direct the NJCCIC to audit the relevant business no later than 30 days after being made aware of an incident. Cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the sensitive business' expense.

AI Summary

This bill requires businesses in the financial, essential infrastructure, and healthcare industries, referred to as "sensitive businesses," to promptly report any "cybersecurity incident" to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). A cybersecurity incident is defined as any event through a computer network that harms the security, privacy, or accessibility of computer systems, networks, or controlled infrastructure. This reporting obligation applies to incidents that compromise the confidentiality, integrity, or availability of the business's information systems or data, as well as any incident affecting their industrial control systems, which are used to manage industrial processes like manufacturing or distribution, if such incidents disrupt services or damage infrastructure. Following a report, the NJCCIC must arrange for an audit of the business's cybersecurity program and response to the incident within 30 days, to be conducted by an independent cybersecurity firm at the business's expense, with the goal of identifying threats and improving defenses against future incidents.

Committee Categories

Business and Industry

Sponsors (1)

Last Action

Introduced, Referred to Assembly Science, Innovation and Technology Committee (on 01/13/2026)
